Functional Safety

What is functional safety?

We begin with a definition of safety. This is freedom from unacceptable risk of physical injury or of damage to the health of people, either directly, or indirectly as a result of damage to property or to the environment. Functional safety is part of the overall safety that depends on a system or equipment operating correctly in response to its inputs. For example, an over-temperature protection device, using a thermal sensor in the windings of an electric motor to de-energise the motor before they can overheat, is an instance of functional safety. But providing specialized insulation to withstand high temperatures is not an instance of functional safety (although it is still an instance of safety and could protect against exactly the same hazard). Neither safety nor functional safety can be determined without considering the systems as a whole and the environment with which they interact.

Example of functional safety

Consider a machine with a rotating blade that is protected by a hinged solid cover. The blade is accessed for routine cleaning by lifting the cover. The cover is interlocked so that whenever it is lifted an electrical circuit de-energizes the motor and applies a brake. In this way the blade is stopped before it could injure the operator. In order to ensure that safety is achieved, both hazard analysis and risk assessment are necessary.

The safety integrity of the safety function will depend on all the equipment that is necessary for the safety function to be carried out correctly, i.e. the interlock, the associated electrical circuit and the motor and braking system. Both the safety function and its safety integrity specify the required behaviour for the systems as a whole within a particular environment. To summarize, the hazard analysis identifies what has to be done to avoid the hazardous event, or events, associated with the blade. The risk assessment gives the safety integrity required of the interlocking system for the risk to be acceptable. These two elements, “What safety function has to be performed?” — the safety function requirements — and “What degree of certainty is necessary that the safety function will be carried out?” — the safety integrity requirements — are the foundations of functional safety.

Challenges in achieving functional safety

Safety functions are increasingly being carried out by electrical, electronic or programmable electronic systems. These systems are usually complex, making it impossible in practice to fully determine every failure mode or to test all possible behavior. It is difficult to predict the safety performance, although testing is still essential. The challenge is to design the system in such a way as to pre vent dangerous failures or to control them when they arise.

IEC 61508 — Functional safety of E/E/PE safety-related systems

IEC 61508 is concerned with functional safety, achieved by safety-related systems that are primarily implemented in electrical and/or electronic and/or programmable electronic (E/E/PE) technologies, i.e. E/E/PE safety related systems. The standard is generic in that it applies to these systems irrespective of their application. Some requirements of the standard relate to development activities where the implementation technology may not yet have been fully decided. This includes development of the overall safety requirements (concept, scope definition, hazard analysis and risk assessment). If there is a possibility that E/E/PE technologies might be used, the standard should be applied so that the functional safety requirements for any E/E/PE safety-related systems are determined in a methodical, risk-based manner.

Other requirements of the standard are not solely specific to E/E/PE technology, including documentation, management of functional safety, functional safety assessment and competence. All requirements that are not technology-specific might usefully be applied to other safety-related systems although these systems are not within the scope of the standard.

The following are examples of E/E/PE safety-related systems:

An E/E/PE safety-related system covers all parts of the system that are necessary to carry out the safety function (i.e. from sensor, through control logic and communication systems, to final actuator, including any critical actions of a human operator).

Safety integrity levels

IEC 61508 specifies 4 levels of safety performance for a safety function. These are called safety integrity levels. Safety integrity level 1 (SIL1) is the lowest level of safety integrity and safety integrity level 4 (SIL4) is the highest level. The standard details the requirements necessary to achieve each safety integrity level. These requirements are more rigorous at higher levels of safety integrity in order to achieve the required lower likelihood of dangerous failure.

An E/E/PE safety-related system will usually implement more than one safety function. If the safety integrity requirements for these safety functions differ, unless there is sufficient independence of implementation between them, the requirements applicable to the highest relevant safety integrity level shall apply to the entire E/E/PE safety-related system. If a single E/E/PE system is capable of providing all the required safety functions, and the required safety integrity is less than that specified for SIL1, then IEC 61508 does not apply.

Example of functional safety revisited

The safety function requirements and the safety integrity requirements constitute the functional safety requirements specification. These requirements must be fully determined before designing the E/E/PE safety-related system. In the example described in Clause 3, the functional safety requirements for the specific hazardous event could be stated as follows:

When the hinged cover is lifted by 5 mm or more, the motor shall be de-energized and the brake activated so that the blade is stopped within 1 second. The safety integrity level of this safety function shall be SIL2.

The functional safety requirements specification concerns behaviour of the safety-related system as a whole, within a particular environment. In this example, the E/E/PE safety-related system includes the guard interlock switch, the electrical circuit, contactors, the motor and the brake.

By Rajni Umakanthan, BDM - Asia Pacific Power & Controls